cimt
NL

Privacy & Cookies

Privacy & Cookies

Last updated: 2026-05-28

This is the privacy policy of cimt B.V., registered in Vught (Netherlands), KvK number 27315486, VAT number NL819170276B01. We respect your privacy and handle personal data carefully. This policy describes which data we process, why, for how long, and what your rights are — in line with the General Data Protection Regulation (GDPR).

Who is the data controller

The data controller for information you provide through cimt.nl is:

cimt B.V.
Sparrendaalseweg 5, 5262 LR Vught, Netherlands
KvK: 27315486 · VAT: NL819170276B01
Email: [email protected]

For privacy-specific questions: [email protected] (or via your client contact).

Which data we process

We only process data you actively provide through a form, email or phone call. cimt.nl uses no trackers, fingerprinting or marketing cookies.

  • Contact form — Step 1: name, organisation, email address. Step 2 (optional): role, topic, timeline, message.
  • Quote requests — name, organisation, email, product of interest, indication of users/capacity, current tooling (optional), message (optional).
  • Applications via [email protected] — information you include in your email (CV, motivation).
  • Transactional email — on a form submission we send a confirmation/auto-reply to your address and an internal notification to [email protected] via Brevo. For this, Brevo processes your name and email address.
  • Newsletter subscription — if you subscribe to the cimt newsletter we process your email address and (if provided) first name, organisation and language preference, plus the timestamp and source of your consent (audit trail). Subscription always uses double opt-in: you receive a confirmation email and your address is only activated after you click the confirmation link.
  • Newsletter to existing clients — we periodically send clients of cimt B.V. a newsletter about similar services (Dutch Telecommunications Act article 11.7 / "soft opt-in"), with a clear opt-out in every message. You can unsubscribe at any time via the link at the bottom of every email or by emailing [email protected].
  • Spam protection — forms are protected with Cloudflare Turnstile, a privacy-friendly CAPTCHA alternative that uses no cookies or tracking.
  • Server logs — Cloudflare maintains anonymised access logs for security (bot protection, DDoS mitigation).
  • Cookieless analytics — Plausible collects aggregated, non-personal statistics (page views, referrers, device category) without cookies or unique identifiers. Always on; no consent required.
  • Analytics cookies (optional) — only after your consent do we load Google Tag Manager + Google Analytics 4. These set cookies to measure visit behaviour. Without consent they are not loaded and no cookies are set.

Why we process this data

  • Answering your question or quote request — basis: pre-contractual action on your request (GDPR article 6(1)(b)).
  • Processing your application — basis: pre-contractual action on your request.
  • Security of cimt.nl — basis: our legitimate interest (GDPR article 6(1)(f)) in stable service delivery.
  • Aggregated statistics — basis: legitimate interest in improving our website. Plausible does not process personal data.
  • Newsletter to leads — basis: your consent (GDPR article 6(1)(a)), obtained through double opt-in. You can withdraw this consent at any time.
  • Newsletter to clients — basis: legitimate interest (GDPR article 6(1)(f)) combined with the "soft opt-in" of the Dutch Telecommunications Act article 11.7 — information about similar services to existing clients, with an opt-out in every message.

How long we keep data

  • Contact form submissions — 90 days in our backup store, then automatically deleted. Emails in our mailbox we keep for up to 24 months unless there is an active engagement.
  • Quote requests — equal to contact form; upon conversion to client the data moves to client administration with retention as required by tax law (7 years).
  • Applications — maximum 4 weeks after the application process closes, unless you explicitly consent to longer retention (max 1 year).
  • Newsletter subscription — we retain your subscription data for as long as you remain subscribed. Upon unsubscribing, Brevo removes your active data and retains only a minimal suppression list (email address only) to prevent accidental re-subscription. Our backup record of the subscription request (audit trail) is automatically deleted after 90 days.
  • Server logs and analytics — Plausible retains aggregated data; Cloudflare anonymises logs within 24 hours.

With whom we share data (processors)

Our website uses the following processors:

  • Cloudflare, Inc. — hosting (Cloudflare Pages), DDoS protection, security logs and Turnstile spam protection. Data Processing Agreement (DPA) in place. EU data routing where the plan supports it.
  • Brevo SAS (Paris, France) — delivery of transactional emails (auto-reply and internal notification on form submissions) and delivery of the cimt newsletter. For the newsletter, Brevo also manages the contact list, the double opt-in process, and aggregated open/click statistics. Processes name, email address, organisation, language preference, product interest and opt-in metadata (timestamp + source). Servers in the EU; GDPR-compliant Data Processing Agreement (DPA) in place. Authentication via SPF/DKIM/DMARC on cimt.nl.
  • Plausible Insights OÜ — cookieless analytics, hosted in the EU (Germany). Processes no personal data; DPA not strictly required but in place.
  • Microsoft Corporation — Microsoft 365 for business email and Microsoft Bookings for appointments. EU tenant. DPA via Microsoft Online Services terms.
  • Google Ireland Ltd. — Google Tag Manager + Google Analytics 4, only after your consent. Processes pseudonymous usage and device data via cookies. Processing may (partly) take place outside the EU under the EU-US Data Privacy Framework safeguards; processing terms via Google Ads Data Processing Terms.
  • cimt AG group (Gitea) — source code and CMS content are managed on the cimt group's own Gitea environment (gitea.cgn.cimt.de), within the EU. Contains no visitor personal data — only website content and editorial.

We never sell personal data to third parties and don't use it for marketing purposes beyond answering your own question.

Cookies and tracking

cimt.nl sets no cookies by default. Our primary analytics (Plausible) is cookieless and privacy-friendly by design and runs without consent. Google's analytics cookies (Tag Manager / Analytics 4) are only set after you give consent via the cookie banner. You can change your choice any time via the "Cookie settings" link at the bottom of every page; if you decline, these cookies are not set.

The embedded Microsoft Bookings widget on the Contact page may set cookies within its own iframe for booking functionality. Because you only reach that page after a deliberate action (clicking "book a conversation"), this falls under the "necessary for a user-requested service" exception to the Dutch Telecommunications Act (cookie law) — no separate consent required.

Your rights

Under the GDPR you have the right to:

  • Access — an overview of which data we process about you.
  • Correction — have incorrect or incomplete data updated.
  • Deletion — have your data deleted (right to be forgotten).
  • Restriction — temporarily pause processing.
  • Objection — object to processing on the basis of legitimate interest.
  • Data portability — receive your data in a structured format.

You can exercise these rights by emailing [email protected]. We respond within one month. Not satisfied with how we handle your data? You can file a complaint with the Dutch Data Protection Authority.

Changes to this policy

We may amend this privacy policy from time to time, for example when we introduce new services or when legislation requires it. Changes are published on this page with a new "last updated" date at the top.

Version 2026-05-28. Questions or comments? [email protected].